P
US7796751B2ExpiredUtilityPatentIndex 93

Certificate-based encryption and public key infrastructure

Assignee: NTT DOCOMO INCPriority: Aug 28, 2002Filed: Oct 3, 2008Granted: Sep 14, 2010
Est. expiryAug 28, 2022(expired)· nominal 20-yr term from priority
Inventors:GENTRY CRAIG B
H04L 9/0847H04L 9/0836H04L 9/3073H04L 9/3265
93
PatentIndex Score
22
Cited by
73
References
83
Claims

Abstract

A digital message can be sent from a sender to a recipient in a public-key based cryptosystem comprising an authorizer. The authorizer can be a single entity or comprise a hierarchical or distributed entity. The recipient can decrypt a message from the sender only if the recipient possesses up-to-date authority from the authorizer. Key status queries and key escrow are unnecessary in some embodiments. Other features are also provided.

Claims

exact text as granted — not AI-modified
1. A method for operating an encryption system which provides for operations (a) through (m) defined below, the method being for generating a recipient decryption key RDEC for a recipient z in the encryption system to enable the recipient to decrypt encrypted digital messages from a message sender, wherein the recipient z is n+1 levels below a root authorizer Au 0  in a hierarchy, and wherein the recipient is associated with a recipient ID-tuple (ID z1 , . . . , ID z(n+1) ) that includes identity information ID z(n+1)  associated with the recipient and identity information ID zi  associated with each of n lower-level authorizers Au 1 , . . . Au n  in the hierarchy between the root authorizer and the recipient, wherein n≧1, the method comprising performing, by one or more machines each of which comprises one or more processors, at least one of operations (Au 0 ), (Au 1 ), . . . (Au n ) each of which is performed by one or more of the one or more machines each of which comprises one or more processors, wherein:
 the operation (Au 0 ) comprises at least the operations (a) through (g); 
 the operations (a) through (m) are as follows: 
 (a) generating a first cyclic group   of elements and a second cyclic group   of elements; 
 (b) selecting a non-degenerate bilinear pairing a capable of generating an element of the second cyclic group   from two elements of the first cyclic group  ; 
 (c) selecting a root generator P 0  of the first cyclic group  ; 
 (d) selecting a random root key generation secret s 0  associated with and known to the root authorizer; 
 (e) generating a root key generation parameter Q 0 =s 0 P 0 ; 
 (f) selecting a first function H 1  capable of generating an element of the first cyclic group   from a first string of binary digits; 
 (g) selecting a second function H 2  capable of generating a second string of binary digits from an element of the second cyclic group  ; 
 (h) generating an element P zi  for each of the n lower-level authorizers, wherein P zi =H 1 (ID 1 , . . . , ID zi ) for 1≦i≦n; 
 (i) for each i such that 1≦i≦n, in the operation (Au i ), selecting a lower-level key generation secret s zi  for the lower-level authorizer Au i , wherein each lower-level key generation secret s zi  is known to its associated lower-level authorizer Au i ; 
 (j) for each i such that 1≦i≦n, in the operation (Au i−1 ), generating a lower-level secret element S zi  for the lower-level authorizer Au i , wherein S zi =S z(i−1) +s z(i−1) P zi , wherein S 0 =0; 
 (k) for each i such that 1≦i≦n, in the operation (Au i ), generating a lower-level key generation parameter Q zi  for each of the n lower-level authorizers, wherein Q zi =s zi P 0 ; 
 (l) generating a recipient element P (n+1) =H 1 (ID z1 , . . . , ID z(n) , Inf (n+1) ) associated with the recipient, wherein P z(n+1)  is an element of the first cyclic group   and wherein Inf (n+1)  is a string of binary digits; and 
 (m) in the operation (Au n ), generating the recipient decryption key RDEC as 
 
     
       
         
           
             
               S 
               
                 z 
                 ⁡ 
                 
                   ( 
                   
                     n 
                     + 
                     1 
                   
                   ) 
                 
               
             
             = 
             
               
                 
                   S 
                   zn 
                 
                 + 
                 
                   
                     s 
                     zn 
                   
                   ⁢ 
                   
                     P 
                     
                       z 
                       ⁡ 
                       
                         ( 
                         
                           n 
                           + 
                           1 
                         
                         ) 
                       
                     
                   
                 
               
               = 
               
                 
                   
                     ∑ 
                     
                       i 
                       = 
                       1 
                     
                   
                   
                     n 
                     + 
                     1 
                   
                 
                 ⁢ 
                 
                   
                     s 
                     
                       z 
                       ⁡ 
                       
                         ( 
                         
                           i 
                           - 
                           1 
                         
                         ) 
                       
                     
                   
                   ⁢ 
                   
                     P 
                     zi 
                   
                 
               
             
           
         
       
       associated with the recipient, wherein: 
       a key formed from a recipient encryption key RENC and a key formed from the recipient decryption key RDEC are a public key/private key pair  1 ; 
       the recipient encryption key RENC is generated using identity information of at least one of the authorizers; 
       each said encrypted digital message is encrypted using a recipient public key RPUB and a recipient encryption key RENC, and is decryptable by the recipient using a recipient private key RPRIV and the recipient decryption key RDEC; 
       the recipient public key RPUB and the recipient private key RPRIV form a public key/private key pair  2 , wherein the recipient private key RPRIV is a secret of the recipient. 
     
   
   
     2. The method of  claim 1 , wherein Inf (n+1)  comprises the identity of the recipient and a validity period for the identity-based decryption key RDEC. 
   
   
     3. The method of  claim 1 , wherein Inf (n+1)  comprises the recipient public key RPUB generated by the recipient. 
   
   
     4. The method of  claim 1 , wherein both the first group   and the second group   are of the same prime order q. 
   
   
     5. The method of  claim 1 , wherein the first cyclic group   is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group   is a multiplicative subgroup of a finite field. 
   
   
     6. The method of  claim 1 , wherein the bilinear pairing ê is efficiently computable. 
   
   
     7. The method of  claim 1  wherein the method comprises the operation (Au 0 ) performed by at least one of the machines. 
   
   
     8. The method of  claim 1  wherein the method comprises the operation (Au i ) performed by at least one of the machines for at least one i≧1. 
   
   
     9. The method of  claim 1 , wherein the method comprises the operation (Au n ) performed by at least one of the machines. 
   
   
     10. A manufacture comprising a computer-readable manufacture comprising a computer-readable computer program operable to cause a computer to perform the method of  claim 1 . 
   
   
     11. The manufacture of  claim 10  wherein the method comprises the operation (Au n ) performed by at least one of the machines. 
   
   
     12. A manufacture comprising a computer-readable manufacture comprising, in computer-readable form, the recipient decryption key RDEC generated by the method of  claim 1 . 
   
   
     13. An encryption/decryption method for operating a hierarchical certificate-based encryption system which uses the recipient decryption key RDEC generated by the method of  claim 1  and provides for operations (1), (2), (3) defined below, the encryption/decryption method comprising performing, by one or more machines each of which comprises one or more processors, at least one of operations (Se) and (Re), wherein the operation (Re) comprises the operations (1) and (3) and the operation (Se) comprises the operation (2), wherein the operations (1), (2), (3) are as follows:
 (1) generating the recipient public key/private key pair  2  for the recipient, wherein the recipient private key RPRIV is known to the recipient; 
 (2) encrypting a digital message M to generate a ciphertext C using at least the recipient public key RPUB, the root encryption parameter Q 0  and Inf (n+1) ; 
 (3) decrypting the ciphertext C to recover the digital message M using at least the recipient private key RPRIV, the lower-level key generation parameters Q z  and the recipient secret element S z(n+1)  equal to the recipient decryption key RDEC. 
 
   
   
     14. The method of  claim 13  wherein the encryption/decryption method comprises the operation (Re) performed by at least one of the machines. 
   
   
     15. The method of  claim 13  wherein the encryption/decryption method comprises the operation (Se) performed by at least one of the machines. 
   
   
     16. The method of  claim 13 , wherein the first cyclic group   is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group   is a multiplicative subgroup of a finite field. 
   
   
     17. The method of  claim 13 , wherein the bilinear pairing ê is efficiently computable. 
   
   
     18. The method of  claim 13 , wherein encrypting the message M comprises:
 selecting a random parameter r; and 
 generating the ciphertext C=[rP, V], wherein V is an encryption of the message M using a value g r , wherein 
 
     
       
         
           
             g 
             = 
             
               
                 
                   e 
                   ^ 
                 
                 ⁡ 
                 
                   ( 
                   
                     
                       P 
                       B 
                       ′ 
                     
                     , 
                     
                       
                         s 
                         B 
                       
                       ⁢ 
                       P 
                     
                   
                   ) 
                 
               
               ⁢ 
               
                 
                   ∏ 
                   
                     j 
                     = 
                     1 
                   
                   
                     n 
                     + 
                     1 
                   
                 
                 ⁢ 
                 
                   
                     e 
                     ^ 
                   
                   ⁡ 
                   
                     ( 
                     
                       
                         P 
                         j 
                       
                       , 
                       
                         
                           s 
                           
                             Z 
                             ⁡ 
                             
                               ( 
                               
                                 j 
                                 - 
                                 1 
                               
                               ) 
                             
                           
                         
                         ⁢ 
                         P 
                       
                     
                     ) 
                   
                 
               
             
           
         
       
       wherein s B P is the recipient public key RPUB, s B  is the recipient private key RPRIV, P′ B  is H 1 (Inf (n+1) ) and Pj=H 1 (s z(j-1) P, Inf(n+1)); and 
       wherein decrypting the ciphertext C further comprises recovering the digital message M using a value ê(rP, S z(n+1) ). 
     
   
   
     19. The method of  claim 13 , wherein the operation (Au 0 ) further comprises:
 selecting a third function H 3  capable of generating an integer of the cyclic group  /q  from a two strings of binary digits, wherein q is an order of the group  ; and 
 selecting a fourth function H 4  capable of generating one binary string from another binary string; 
 wherein encrypting the message M further comprises:
 choosing a random parameter σ∈{0,1} n ; 
 set a random key generation secret r=H 3 (σ, M); and 
 generating the ciphertext C=[U 0 , U 2 , . . . , U t , V, W], wherein U 0 =rs B P and U i =rP zi  for 2≦i≦n+1, wherein V is an encryption of the message M using a value g r , and wherein g=ê(Q 0 , P z1 ) and s B P is the recipient public key RPUB, s B  is the recipient private key RPRIV, wherein W=E H4(σ) (M), E is a symmetric encryption scheme, and H 4(σ)  is the key used with E; and 
 
 wherein decrypting the ciphertext C further comprises:
 recovering the random binary string σ using a ratio of (i) ê(U 0 ,S z(n+1) ) and (ii) the product of values ê(Q i−1 , U i ) from i=2 to i=n+1; and 
 recovering the message M using M=E −1   H4(σ)  (W). 
 
 
   
   
     20. The method of  claim 19 , wherein the bilinear pairing ê is efficiently computable pairing. 
   
   
     21. The method of  claim 19 , wherein the operation (Re) further comprises authenticating the ciphertext C by:
 computing a random integer r′=H 3 (σ, M); and 
 confirming that U 0 =r′P 0  and Ui=r′P zi  for 2≦i≦n+1. 
 
   
   
     22. The method of  claim 13 , wherein the plurality of authorizers further includes at least m lower-level authorizers Au y1 , . . . , Au ym  in the hierarchy between the root authorizer and the sender y, wherein m≧1, wherein l authorizers Au 0 =Au y0 , . . . , Au l =Au yl  of the authorizers in the hierarchy are common hierarchical ancestors to both the sender y and the recipient z, wherein l≧1, and wherein the recipient y is associated with a recipient ID-tuple (ID y1 , . . . , ID y(m+1)  that includes identity information ID y(m+1)  associated with the sender y and identity information ID yi  associated with each of the m lower-level authorizers in the hierarchy between the root authorizer and the sender y, wherein:
 for each i=1, . . . , m, an element P yi  is generated for the lower-level authorizer Au yi , wherein P yi =H 1 (ID y1 , . . . , ID yi ) for 1≦i≦m, and wherein P yi =P zi  for all i<l; 
 for each i=1, . . . , m, a lower-level key generation secret s yi  is selected for the lower-level authorizer Au yi , wherein s yi =s zi  for all i<l; 
 for each i=1, . . . , m, a lower-level secret element S yi  is selected for the lower-level authorizer Au yi , wherein S yi =S y(i-1) +s y(i-1) P yi  for 1≦i≦m, and wherein S yi =S zi  for all i≦l; 
 for each i=1, . . . , m, a lower-level key generation parameter Q yi  is generated for the lower-level authorizer Au yi , wherein Q yi =s yi P 0  for 1≦i≦m, and wherein Q yi =Q zi  for all i≦l; 
 wherein a sender element P y(m+1) =H 1 (ID y1 , . . . , ID y(m+1) , Inf s(m+1) ) is generated associated with the sender y; 
 wherein a sender secret element 
 
     
       
         
           
             
               S 
               
                 y 
                 ⁡ 
                 
                   ( 
                   
                     m 
                     + 
                     1 
                   
                   ) 
                 
               
             
             = 
             
               
                 
                   S 
                   ym 
                 
                 + 
                 
                   
                     s 
                     ym 
                   
                   ⁢ 
                   
                     P 
                     
                       y 
                       ⁡ 
                       
                         ( 
                         
                           m 
                           + 
                           1 
                         
                         ) 
                       
                     
                   
                 
               
               = 
               
                 
                   ∑ 
                   
                     i 
                     = 
                     1 
                   
                   
                     m 
                     + 
                     1 
                   
                 
                 ⁢ 
                 
                   
                     s 
                     
                       y 
                       ⁡ 
                       
                         ( 
                         
                           i 
                           - 
                           1 
                         
                         ) 
                       
                     
                   
                   ⁢ 
                   
                     P 
                     yi 
                   
                 
               
             
           
         
       
     
     associated with the sender is generated, wherein Inf s(m+1)  comprises a validity period for the recipient secret element;
 wherein said encrypting uses at least the information comprising Inf (n+1)  and the lower-level key generation parameters Q yi  for i≧l and the sender secret element S y(m+1) , but does not use the lower-level key generation parameters Q yi  for i<l; and 
 said decrypting uses at least the recipient private key RPRIV and the lower-level key generation parameters Q zi  for i≧l and the recipient secret element S z(n+1) , but not the lower-level key generation parameters Q zi  for i<l. 
 
   
   
     23. The method of  claim 22 , wherein the first cyclic group   is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group   is a multiplicative subgroup of a finite field. 
   
   
     24. The method of  claim 22 , wherein encrypting the message M further includes:
 selecting a random parameter r; and 
 encrypting the message M to generate the ciphertext C=[U 0 , U l+1 , . . . , U n+1 , V], wherein U 0 =rs B P and U i =rP zi  for 2≦i≦n+1, wherein V is an encryption of M using a value g yl   r , wherein g yl =ê(Q 0 , P z1 ), wherein s B P is the recipient public key RPUB, s B  is the recipient private key RPRIV, and wherein 
 
     
       
         
           
             
               
                 g 
                 yl 
               
               = 
               
                 
                   
                     e 
                     ^ 
                   
                   ⁡ 
                   
                     ( 
                     
                       
                         P 
                         0 
                       
                       , 
                       
                         S 
                         
                           y 
                           ⁡ 
                           
                             ( 
                             
                               m 
                               + 
                               1 
                             
                             ) 
                           
                         
                       
                     
                     ) 
                   
                 
                 
                   
                     ∏ 
                     
                       i 
                       = 
                       
                         l 
                         + 
                         1 
                       
                     
                     
                       m 
                       + 
                       1 
                     
                   
                   ⁢ 
                   
                       
                   
                   ⁢ 
                   
                     
                       e 
                       ^ 
                     
                     ⁡ 
                     
                       ( 
                       
                         
                           Q 
                           
                             y 
                             ⁡ 
                             
                               ( 
                               
                                 i 
                                 - 
                                 1 
                               
                               ) 
                             
                           
                         
                         , 
                         
                           P 
                           yi 
                         
                       
                       ) 
                     
                   
                 
               
             
             ; 
           
         
       
     
     decrypting the ciphertext C further includes recovering the message M using a ratio of (i) ê(U 0 ,S z(n+1) ) and (ii) the product of values ê(Q z(i-1) ,U zi ) from i=l+1 to i=n+1. 
   
   
     25. A method of  claim 24 , wherein the first cyclic group   is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group   is a multiplicative subgroup of a finite field. 
   
   
     26. A method of  claim 22 , further comprising:
 selecting a third function H 3  capable of generating an integer of the cyclic group  /q  from a two strings of binary digits; and 
 selecting a fourth function H 4  capable of generating one binary string from another binary string; 
 wherein encrypting the message M further comprises, by at least one of the machines:
 selecting a random binary string σ∈{0,1} n ; 
 computing a random integer r=H 3 (σ, M); and 
 generating the ciphertext C=[U 0 , U l+1 , . . . , U n+1 , V, W], wherein U 0 =rs B P and U i =rP zi  for 2≦i≦n+1, wherein V is an encryption of the message M using a value g yl   r , wherein g yl =ê(Q 0 , P z1 ), wherein s B P is the recipient public key RPUB, s B  is the recipient private key RPRIV, and wherein W=wherein W=E H4(σ) (M), E is a symmetric encryption scheme, and H 4(σ)  is the key used with E, wherein 
 
 
     
       
         
           
             
               
                 g 
                 yl 
               
               = 
               
                 
                   
                     e 
                     ^ 
                   
                   ⁡ 
                   
                     ( 
                     
                       
                         P 
                         0 
                       
                       , 
                       
                         S 
                         
                           y 
                           ⁡ 
                           
                             ( 
                             
                               m 
                               + 
                               1 
                             
                             ) 
                           
                         
                       
                     
                     ) 
                   
                 
                 
                   
                     ∏ 
                     
                       i 
                       = 
                       
                         l 
                         + 
                         1 
                       
                     
                     
                       m 
                       + 
                       1 
                     
                   
                   ⁢ 
                   
                       
                   
                   ⁢ 
                   
                     
                       e 
                       ^ 
                     
                     ⁡ 
                     
                       ( 
                       
                         
                           Q 
                           
                             y 
                             ⁡ 
                             
                               ( 
                               
                                 i 
                                 - 
                                 1 
                               
                               ) 
                             
                           
                         
                         , 
                         
                           P 
                           yi 
                         
                       
                       ) 
                     
                   
                 
               
             
             ; 
           
         
       
       wherein decrypting the ciphertext C further comprises, by at least one of the machines:
 recovering the random binary string σ using a ratio of (i) ê(U 0 ,S z(n+1) ) and (ii) the product of values ê(Q z(i-1) ,U zi ) from i=l+1 to i=n+1; and 
 recovering the message M using M=E −1   H4(σ)  (W). 
 
     
   
   
     27. A method of  claim 26 , wherein the first cyclic group   is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group   is a multiplicative subgroup of a finite field. 
   
   
     28. A method of  claim 26 , further comprising, by at least one of the machines, authenticating the ciphertext C by:
 computing an experimental random integer r′=H 3 (σ,M); and 
 confirming that U 0 =r′P 0  and Ui=r′P zi  for l+1≦i≦n+1. 
 
   
   
     29. A manufacture comprising a computer-readable manufacture comprising a computer-readable computer program operable to cause a computer to perform the encryption/decryption method of  claim 13 . 
   
   
     30. The manufacture of  claim 29  wherein the encryption/decryption method comprises the operation (Re) performed by at least one of the machines. 
   
   
     31. The manufacture of  claim 29  wherein the encryption/decryption method comprises the operation (Se) performed by at least one of the machines. 
   
   
     32. A manufacture comprising a computer-readable manufacture comprising, in computer-readable form, the ciphertext C generated by the encryption/decryption method of  claim 13 . 
   
   
     33. A method for operating a public key encryption scheme which comprises blocks (a) through (f) defined below, each block being implemented by one or more machines each of which comprises one or more processors, the public key encryption scheme providing for a sender, a recipient and n authorizers Au 1 , . . . , Au n , wherein n≧2, wherein the recipient can decrypt a digital message from the sender only if the recipient possesses authorization from the authorizers, the method comprising performing, by one or more of the one or more machines each of which comprises one or more processors, at least one of operations (Re), (Se), (Au 1 ), . . . , (Au n ) each of which is performed by one or more of the one or more machines each of which comprises one or more processors, wherein the blocks (a) through (t) are as follows:
 block (a) is for generating, in the operation (Re), a recipient public key/private key pair for the recipient, wherein the recipient private key is a secret of the recipient; 
 block (b) is for generating, for each i (1≦i≦n); in the operation (Au i ), a secret key s i  for the authorizer Au i , wherein the secret key s i  is known to the authorizer Au i ; 
 block (c) is for generating, for each i (1≦i≦n), in the operation (Au i ), a public key for the authorizer Au i , the public key being generated using at least the secret key s i  of the authorizer Au i ; 
 block (d) is for generating, for each i (1≦i≦n), in the operation (Au i ), a signature for the authorizer Au i  by signing a string of binary digits M 1  with the secret key s i  of the authorizer Au i ; 
 block (e) is for encrypting, in the operation (Se), the digital message to form a ciphertext using at least the recipient's public key, the strings of binary digits M 1  signed by the authorizers, and the public keys of the authorizers; 
 block (f) is for decrypting, in the operation (Re), the ciphertext using at least the recipient's private key and the signatures generated by the authorizers. 
 
   
   
     34. The method of  claim 33 , wherein at least one of the strings of binary digits M i  is related to a parameter determining a validity period of the signatures generated by the authorizers. 
   
   
     35. The method of  claim 34 , wherein at least one of the strings of binary digits M i  is generated from information comprising the identity of the recipient. 
   
   
     36. The method of  claim 34 , wherein at least one of the strings of binary digits M i  is generated from information comprising the recipient public key. 
   
   
     37. The method of  claim 36  wherein the method comprises the operation (Se) performed by at least one of the machines. 
   
   
     38. The method of  claim 36  wherein the method comprises the operation (Re) performed by at least one of the machines. 
   
   
     39. The method of  claim 33 , wherein the public key encryption scheme defines:
 a first cyclic group   of elements and a second cyclic group   of elements; 
 a non-degenerate bilinear pairing ê capable of generating an element of the second cyclic group   from two elements of the first cyclic group  ; 
 a generator P of the first cyclic group  ; and 
 a first function H 1  capable of generating an element of the first cyclic group   from a string of binary digits; 
 wherein the public key of each authorizer Au i  is s i P; 
 wherein the signature for each authorizer Au i  is S i =s i P Mi  wherein P Mi  is a value of the function H 1  on data which depends on M i . 
 
   
   
     40. The method of  claim 39  wherein P Mi =H 1 (s i P,M i ). 
   
   
     41. The method of  claim 39 , wherein the first cyclic group   is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group   is a multiplicative subgroup of a finite field. 
   
   
     42. The method of  claim 33  wherein the method comprises the operation (Se) performed by at least one of the machines. 
   
   
     43. The method of  claim 33  wherein the method comprises the operation (Re) performed by at least one of the machines. 
   
   
     44. A manufacture comprising a computer-readable manufacture comprising a computer-readable computer program operable to cause a computer to perform the method of  claim 33 . 
   
   
     45. A manufacture comprising a computer-readable manufacture comprising, in computer-readable form, the decryption key generated by the method of  claim 33 . 
   
   
     46. A method for operating a public key encryption scheme which comprises blocks (a) through (g) defined below, each block being implemented by one or more machines each of which comprises one or more processors, the public key encryption system providing for a sender, a recipient and a plurality of authorizers including at least a root authorizer Au 0  and n lower-level authorizers Au 1 , . . . , Au n  in the hierarchy between the root authorizer and the recipient, wherein n≦1 and wherein the recipient can decrypt a digital message from the sender only if the recipient possesses authorization from the authorizers, the method comprising performing, by one or more of the one or more machines each of which comprises one or more processors, at least one of operations (Re), (Se), (Au 0 ), (Au 1 ), . . . , (Au n ) each of which is performed by one or more of the one or more machines each of which comprises one or more processors, wherein the blocks (a) through (g) are as follows:
 block (a) is for generating, in the operation (Re), a recipient public key/private key pair for the recipient, wherein the recipient private key is a secret of the recipient; 
 block (b) is for generating, for each i (0≦i≦n), in the operation (Au i ), a secret key s i  for the authorizer Au i , wherein each secret key s i  is known to the authorizer Au i ; 
 block (c) is for generating, for each i(1≦i≦n), in the operation (Au i ), a public key for the authorizer Au i , the public key being generated using at least the secret key s i ; 
 block (d) is for using, for each i (1≦i≦n), in the operation (Au j ) for some j<i, by the authorizer Au j , the authorizer Au j 's secret key s j  to certify a document comprising the public key of the authorizer Au i  to generate a signature; 
 block (e) is for using, in the operation (Au n ), by the authorizer Au n , the authorizer Au n 's secret key s n  to certify a document comprising the recipient public key to generate a signature; 
 block (f) is for encrypting, in the operation (Se), the digital message to form a ciphertext using at least the recipient's public key and the public keys of the authorizers and the documents; and 
 block (g) is for decrypting, in the operation (Re), the ciphertext using at least the recipient's private key and the signatures generated by the authorizers. 
 
   
   
     47. The method of  claim 46 , wherein at least one of the certified documents is related to a parameter determining a validity period of the signatures generated by the authorizers. 
   
   
     48. The method of  claim 47  wherein the method comprises the operation (Se) performed by at least one of the machines. 
   
   
     49. The method of  claim 47  wherein the method comprises the operation (Re) performed by at least one of the machines. 
   
   
     50. The method of  claim 46 , wherein the document comprising the recipient public key is generated from information comprising the identity of the recipient. 
   
   
     51. The method of  claim 46 , wherein:
 a first cyclic group  1 of elements and a second cyclic group  2 of elements are generated; 
 a non-degenerate bilinear pairing ê is selected which is capable of generating an element of the second cyclic group   from two elements of the first cyclic group  ; 
 a generator P of the first cyclic group   is selected; 
 for each i (0≦i≦n), the public key of the authorizer Au i  is s 1 P; 
 a first function H 1  is selected with values in the first cyclic group  ; 
 for each i (1≦i≦n−1), an element P Mi  is generated for the lower level authorizer Au i , wherein P Mi =H i (s i P,M i+1 ) and wherein M i+1  is related to the identity and public key of the authorizer immediately below that authorizer in the hierarchy; and 
 signing the elements P Mi  to generate the signatures S i =s i P Mi . 
 
   
   
     52. The method of  claim 51 , wherein the first cyclic group   is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group   is a multiplicative subgroup of a finite field. 
   
   
     53. The method of  claim 46  wherein the method comprises the operation (Se) performed by at least one of the machines. 
   
   
     54. The method of  claim 46  wherein the method comprises the operation (Re) performed by at least one of the machines. 
   
   
     55. A manufacture comprising a computer-readable manufacture comprising a computer-readable computer program operable to cause a computer to perform the method of  claim 46 . 
   
   
     56. A method for operating a public-key encryption scheme which comprises blocks (a) through (d) defined below, each block being implemented by one or more machines each of which comprises one or more processors, the public-key encryption scheme providing for a sender, a recipient, and an authorizer, wherein a digital message is encrypted by the sender and decrypted by the recipient, the method comprising performing, by one or more of the one or more machines each of which comprises one or more processors, at least one of operations (Se), (Re), (Au) each of which is performed by one or more of the one or more machines each of which comprises one or more processors, wherein the blocks (a) through (d) are as follows:
 block (a) is for generating, in the operation (Re), a recipient public key/recipient private key pair, wherein the recipient private key is a secret of the recipient; 
 block (b) is for selecting, in the operation (Au), a key generation secret known to the authorizer; 
 block (c) is for generating, in the operation (Au), a recipient decryption key associated with time period i, wherein the recipient decryption key associated with time period i is related to the key generation secret, and wherein recipient decryption keys associated with time periods earlier than i, but not the recipient decryption keys associated with time periods later than i, can be generated from the recipient decryption key associated with time period i; 
 block (d) is for encrypting, in the operation (Se), the digital message to form a ciphertext using at least the recipient public key, the time period parameter associated with time period i or a time period parameter associated with an earlier time period, and a recipient encryption key to create an encrypted digital message; 
 block (e) is for decrypting, in the operation (Re), the ciphertext using at least the recipient private key and the recipient decryption key associated with time period i. 
 
   
   
     57. The method of  claim 56  wherein the recipient decryption key associated with time period i is related to information identifying the recipient. 
   
   
     58. The method of  claim 56  wherein the method comprises the operation (Se) performed by at least one of the machines. 
   
   
     59. The method of  claim 56  wherein the method comprises the operation (Re) performed by at least one of the machines. 
   
   
     60. The method of  claim 56  wherein the method comprises the operation (Au) performed by at least one of the machines. 
   
   
     61. A manufacture comprising a computer-readable manufacture comprising a computer-readable computer program operable to cause a computer to perform the method of  claim 56 . 
   
   
     62. A method for operating a public-key encryption scheme which comprises blocks (a) through (g) defined below, each block being implemented by one or more machines each of which comprises one or more processors, the public-key encryption scheme providing for a sender of a digital message, for a plurality of clients including a recipient of the digital message, and for an authorizer, wherein the digital message is encrypted by the sender and decrypted by the recipient, the method comprising performing, by one or more of the one or more machines each of which comprises one or more processors, at least one of operations (Se), (Re), (Au) each of which is performed by one or more of the one or more machines each of which comprises one or more processors, wherein the blocks (a) through (g) are as follows:
 block (a) is for generating, in the operation (Re), a recipient public key/recipient private key pair for the recipient, wherein the recipient private key is a secret of the recipient; 
 block (b) is for associating each client with a respective leaf node of a tree in which a non-leaf node is operable to have at least two child nodes; 
 block (c) is for generating, for each node N 1  which is either the recipient leaf node or the recipient leaf node's ancestor node, an encryption key associated with the node N 1 ; 
 block (d) is for generating, in the operation (Au), one or more authorizer's secrets known to the authorizer and comprising a first master secret s C ; 
 block (e) is for generating, in the operation (Au), a recipient decryption key associated with at least a selected node which is the recipient leaf node or an ancestor of the recipient leaf node, the recipient decryption key being also associated with the first master secret, wherein the selected node is not an ancestor of a leaf node associated with any client not authorized by the authorizer, wherein the recipient decryption key associated with the selected node forms a private key/public key pair with the encryption key associated with the selected node; 
 block (f) is for encrypting, in the operation (Se), the digital message to create an encrypted digital message using at least the recipient public key and one or more of the encryption keys associated with the recipient leaf node and the recipient leaf node's ancestor nodes, the one or more of the encryption keys comprising the encryption key associated with the selected node; and 
 block (g) is for decrypting, in the operation (Re), the encrypted digital message using at least the recipient private key and the recipient decryption key associated with the selected node. 
 
   
   
     63. The method of  claim 62  wherein the selected node is an ancestor of the recipient leaf node. 
   
   
     64. The method of  claim 62  wherein the tree is a B-tree. 
   
   
     65. The method of  claim 62 , wherein the encryption key for at least the selected node is related to a validity period parameter defining a validity period for the recipient decryption key. 
   
   
     66. The method of  claim 65 , further comprising generating a long-lived certificate for the recipient, wherein the certificate comprises the recipient public key, a value identifying the recipient, and the validity period parameter. 
   
   
     67. The method of  claim 62 , wherein the nodes in the tree are associated with points on an elliptic curve or abelian variety. 
   
   
     68. The method of  claim 62 , wherein the tree is a Merkle tree. 
   
   
     69. The method of  claim 62 , wherein the operation (Au) comprises associating each node with an element P node  of a group  ;
 wherein the recipient decryption key is related to a product of at least one of the authorizer's one or more secrets and the element P node  for the selected node. 
 
   
   
     70. The method of  claim 69 , wherein the element P node  for the selected node is related to a validity period parameter defining a validity period for the recipient decryption key. 
   
   
     71. The method of  claim 62 , wherein the operation (Au) comprises:
 generating a first cyclic group   of elements and a second cyclic group   of elements; 
 selecting a non-degenerate bilinear pairing ê capable of generating an element of the second cyclic group   from two elements of the first cyclic group  ; 
 selecting a generator P of the first cyclic group  ; 
 generating a key generation parameter Q=s C P; 
 selecting a first function H 1  capable of generating an element of the first cyclic group   from a first string of binary digits; 
 generating an element P node =H 1 (Inf B ) for at least each of m nodes defining the path from the recipient leaf node to the root node of the tree, wherein Inf B  is related to the node; 
 wherein encrypting the digital message comprises: 
 selecting a random key generation secret r; 
 obtaining a value rP and also obtaining, for each node (and its value P node ) in the path from the recipient leaf node to the root inclusive, an encryption of the digital message using a value ê(P,P node ) rs     C   . 
 
   
   
     72. The method of  claim 71 , wherein Inf B  is also associated with a validity period parameter defining a validity period for the recipient decryption key. 
   
   
     73. The method of  claim 71 , wherein the first cyclic group   is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group   is a multiplicative subgroup of a finite field. 
   
   
     74. The method of  claim 62  wherein the operation (Au) comprises associating each node with an element P node  of a group  ;
 wherein the element P node  for the selected node is unrelated to a validity period parameter defining a validity period for the recipient decryption key, but the element P node  for at least one other node N time  is related to the validity period parameter; and 
 the recipient decryption key is related to a sum of terms each of which is a product of one of the authorizer's secrets times the element P node  for a respective one of said nodes, the respective ones of said nodes including the selected node and said at least one other node N time . 
 
   
   
     75. The method of  claim 74  wherein the node N time  is the root node. 
   
   
     76. The method of  claim 75  wherein the recipient decryption key comprises values S C P time +xP snode  and xP wherein P time  is the P node  value for the node N time , the value x is one of the authorizer's secrets which is not the first master secret, the value P snode  is the P node  value for the selected node, and P is an element of the group  . 
   
   
     77. The method of  claim 76  wherein the group   is cyclic, and P is a generator of the group  . 
   
   
     78. The method of  claim 76  wherein encrypting the digital message comprises generating a random value r and determining:
 (i) value rP; 
 (ii) values rΣP node  wherein each ΣP node  corresponds to a node N i  and is the sum of the P node  values for all the nodes in a path from the root node to a node N i  inclusive, wherein each node N i  is the recipient leaf node or an ancestor of the recipient leaf node; and 
 (iii) a value which is an encryption of the digital message using a value ê(S C P,P time ) r , wherein ê is a predefined non-degenerate bilinear pairing which maps  ×  into a group  , the bilinear pairing being known to the sender; 
 wherein decrypting the digital message comprises the recipient obtaining the values (i) and (ii) and determining the value (iii) by dividing ê(rP,s C P time +xΣP node     1   ) by ê(xP,rΣP node     1   ), wherein ΣP node     1    is the value ΣP node  defined in (ii) and corresponding to the selected node. 
 
   
   
     79. The method of  claim 62  wherein the recipient decryption key is an element of a group and is a sum of values each of which is a recipient decryption key generated for a respective period of time. 
   
   
     80. The method of  claim 62  wherein the method comprises the operation (Se) performed by at least one of the machines. 
   
   
     81. The method of  claim 62  wherein the method comprises the operation (Re) performed by at least one of the machines. 
   
   
     82. The method of  claim 62  wherein the method comprises the operation (Au) performed by at least one of the machines. 
   
   
     83. A manufacture comprising a computer-readable manufacture comprising a computer-readable computer program operable to cause a computer to perform the method of  claim 62 .

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.